Your Gadgets Are Springing Leaks

Handheld electronics travel everywhere in your company, spilling data along the way. Here's how to plug the holes.

Page 2 of 3

Like any other IT or business initiative, a successful strategy for controlling the use of removable media requires thoughtful planning, careful execution and the right tools.

“There’s actually a balance that has to be considered,” says Rena Mears, national and global service line leader for privacy and data protection at Deloitte & Touche LLP in New York.

Senior officers have to think of the company’s data as an asset and consider what has the highest value, what is most at risk, what protections are necessary and who should have access to what, Mears says. They have to weigh all that against the need to conduct business in an efficient manner, which today, like it or not, involves miniature mobile devices, she says.

“You have to balance the protection and the productivity. You don’t want to absolutely ban people from using these things,” says Bill Boni, corporate information security officer at Motorola Inc. in Schaumburg, Ill., and international vice president at the ISACA. Companies need to “make risk-based decisions that are acceptable to them,” Boni adds.

Find the Right Fit

SystemExperts’ Gossels and Richard Mackey, vice president of consulting at the company, recommend a multipronged approach. First, develop a policy that defines what the company considers acceptable use of these devices. Some companies might decide to limit the use of USB flash drives to specific machines and workers. Others might decide to disable all USB ports in highly sensitive environments.

Gossels and Mackey say that companies must then back up their policy with technical solutions, being sure that their virus scans, for example, extend to devices plugged into USB ports. They must decide which devices need password protections and what data needs encryption so the loss or theft of a PDA or smart phone won’t put confidential information at risk.

Chris Kashner, a desktop consulting specialist at Highmark Blue Cross Blue Shield in Pittsburgh, has successfully brought such devices into his organization while protecting network and data security. Kashner started last year by looking at what workers were plugging into the network. The audit found “a lot of MP3 players and more flash drives than we ever imagined,” he says.

Kashner then worked with others to develop companywide policies and explain the new rules to Highmark’s 13,000 employees. He also implemented Pointsec Device Protector, which allows the company to enforce its policies. For example, flash drives that don’t belong to Highmark are set to read only.

Moreover, Kashner says that because Highmark allows only company-purchased devices, it can enforce its encryption policies, which means no data goes out the door unprotected.

Such measures take companies one step closer to the more comprehensive solution that some experts advocate: protection that follows the data itself.

“The answer isn’t to try to control devices. The answer is to control the data,” Anderson says. To do that effectively, he says, companies not only need policies about the approved use of these devices, but also, more important, data classification policies that teach workers how to properly recognize, classify and handle sensitive material.

Jim Molini, principal information security engineer at The Mitre Corp., a not-for-profit IT services company in McLean, Va., knows firsthand why that’s so important. He once asked to transfer files to a client’s system using a flash drive, but his client said such devices were prohibited. Instead, Molini had to put the material on a CD. He wonders, Was the data — or system — any more secure by using a CD instead of a flash drive? Molini says he doubts it, considering that the CD now contains a permanent record of the sensitive information.

“We’re finding more and more that where the data is located is irrelevant,” he says. Ultimately, it’s about the protection of the data, wherever it may reside.
